HIPAA Privacy Standards

Privacy Standards Overview
The information in this section has been excerpted from the Department of Health & Human Services web site, at http://aspe.os.dhhs.gov/admnsimp/final/pvcfact2.htm.
As noted under Compliance Schedule below, the final rule for privacy standards took effect on April 14, 2001. Most covered entities have two full years, until April 14, 2003, to comply with its provisions, and the law gives HHS the authority to make appropriate changes to the rule before the compliance date.

Each time a patient sees a doctor, is admitted to a hospital, goes to a pharmacist or sends a claim to a health plan, a record is made of their confidential health information. In the past, family doctors and other health care providers protected the confidentiality of those records by sealing them away in file cabinets and refusing to reveal them to anyone else. Today, the use and disclosure of this information is protected by a patchwork of state laws, leaving gaps in the protection of patients' privacy and confidentiality.
Congress recognized the need for national patient record privacy standards in 1996 when it enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The law included provisions designed to save money for health care businesses by encouraging electronic transactions, but it also required new safeguards to protect the security and confidentiality of that information. The law gave Congress until August 21, 1999, to pass comprehensive health privacy legislation. When Congress did not enact such legislation within those three years, the law required the Department of Health and Human Services (HHS) to craft such protections by regulation.

COMPLIANCE SCHEDULE
The final rule took effect on April 14, 2001. As required by the HIPAA law, most covered entities have two full years - until April 14, 2003 - to comply with the final rule's provisions. The law gives HHS the authority to make appropriate changes to the rule prior to the compliance date.

COVERED ENTITIES
As required by HIPAA, the final regulation covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions (e.g., electronic billing and funds transfers) electronically.

INFORMATION PROTECTED
All medical records and other individually identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally, are covered by the final rule.

CONSUMER CONTROL OVER HEALTH INFORMATION
Under the final rule, patients will have significant new rights to understand and control how their health information is used.
1. Patient education on privacy protections. Providers and health plans will be required to give patients a clear written explanation of how the covered entity may use and disclose their health information.
2. Ensuring patient access to their medical records. Patients will be able to see and get copies of their records, and request amendments. In addition, a history of non-routine disclosures must be made accessible to patients.
3. Receiving patient consent before information is released. Health care providers who see patients will be required to obtain patient consent before sharing their information for treatment, payment, and health care operations. In addition, separate patient authorization must be obtained for nonroutine disclosures and most non-health care purposes. Patients will have the right to request restrictions on the uses and disclosures of their information.
4. Providing recourse if privacy protections are violated. People will have the right to file a formal complaint with a covered provider or health plan, or with HHS, about violations of the provisions of this rule or the policies and procedures of the covered entity.

BOUNDARIES ON MEDICAL RECORD USE AND RELEASE
With few exceptions, such as appropriate law enforcement needs, an individual's health information may only be used for health purposes.
1. Ensuring that health information is not used for non-health purposes. Health information covered by the rule generally may not be used for purposes not related to health care - such as disclosures to employers to make personnel decisions, or to financial institutions - without explicit authorization from the individual.
2. Providing the minimum amount of information necessary. In general, disclosures of information will be limited to the minimum necessary for the purpose of the disclosure. However, this provision does not apply to the disclosure of medical records for treatment purposes because physicians, specialists, and other providers need access to the full record to provide quality care.
Since this section was published on the HHS web site, numerous changes to this rule have been proposed. If adopted, the changes would allow providers to treat patients without first obtaining the patient's consent for uses and disclosures of PHI in connection with treatment, payment and health care operations; this affects the consent requirement described under Consumer Control over Health Information above.

ESTABLISH ACCOUNTABILITY FOR MEDICAL RECORDS USE AND RELEASE
In HIPAA, Congress provided penalties for covered entities that misuse personal health information.
1. Civil penalties. Health plans, providers and clearinghouses that violate these standards will be subject to civil liability. Civil money penalties are $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated.
2. Federal criminal penalties. Under HIPAA, Congress also established criminal penalties for knowingly violating patient privacy. Criminal penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

COMPLIANCE AND ENFORCEMENT
The final rule will be enforced by the HHS Office for Civil Rights (OCR). Before covered entities must comply with the rule, OCR will provide assistance to providers, plans and health clearinghouses in meeting the requirements of the regulation. A Web site on the new regulation is available at http://www.hhs.gov/ocr/hipaa/.

ENSURE THE SECURITY OF PERSONAL HEALTH INFORMATION
The final rule establishes the privacy safeguard standards that covered entities must meet, but it gives covered entities the flexibility to design their own policies and procedures to meet those standards. The requirements are flexible and scalable to account for the nature of each entity's business, and its size and resources. Covered entities generally will have to:
1. Adopt written privacy procedures. These include who has access to protected information, how it will be used within the entity, and when the information may be disclosed. Covered entities will also need to take steps to ensure that their business associates protect the privacy of health information.
2. Train employees and designate a privacy officer. Covered entities will need to train their employees in their privacy procedures, and must designate an individual to be responsible for ensuring the procedures are followed.

The Health Insurance Portability and Accountability Act of 1996 is an important law, passed by Congress, which is expected to have a major impact on every healthcare organization in the country.

Title II of HIPAA contains the Administrative Simplification provisions, a major component of the HIPAA legislation. These provisions instruct the Department of Health & Human Services to adopt standards for transactions that are conducted electronically between healthcare providers and insurers, and between insurers.

The four components of Administrative Simplification are:
• Electronic Transactions
• Privacy Standards
• Code Sets & Unique Identifiers
• Security Standards & Electronic Signature

The goal of these provisions is to simplify the administrative burden placed on healthcare providers. Additional HIPAA policy goals include:

• Protect the privacy of the patient by protecting their data
• Focus healthcare providers on the importance of security and privacy
• Create a common set of standards for protecting such data, whether held on paper or electronically
• Improve efficiencies within the healthcare industry
• Require efficiency and security in the transfer of patient information

Specifically, the Department of Health and Human Services states in the Preamble to the Privacy Standards that the regulations are being instituted to:
1. Protect and enhance the rights of consumers
2. Improve the quality of the healthcare system and restore trust in it
3. Improve the efficiency and effectiveness of healthcare delivery

 

Copyright © 2008 acentec, inc. All rights reserved.